My day: Back-porting Input Validation from ASP.NET 1.1 to ASP.NET 1.0
I don't know if this qualifies as evil, stupid, both, or neither, but here's a story.
Many clients move at a very, shall we say "measured" pace and don't take upgrading from Framework 1.0 to Framework 1.1 lightly. We are very security focused here and javascript injection attacks are always a problem. The client doesn't want want to upgrade to ASP.NET 1.1 until later this year, but they want to make sure they are in some way for script attacks.
So, what to do? Using Lutz's Reflector, Anakrino, and ILDASM I "examined" System.Web.CrossSiteScriptingValidation, HttpValidationException and others, and back-ported the equivalent to ASP.NET @Page Directive "validateInput = true" into an custom validateInput HttpModule. I hook PreRequestHandlerExecute and quite happily detect scripting attacks in ASP.NET 1.0.
Again, may be evil, but felt so good. When the site is upgraded to ASP.NET 1.1 later this year I'll just remove this line from the Web.config:
<httpModules><add name="ValidateInput" type="Corillian.Web.ValidateInput,ValidateInputASPNET10" />
</httpModules>
A couple of interesting questions came up, one of which was...
A while loop is expanded when compiling IL, and the C# equivalent is something like this:
goto L_0045;L_0040:
index = (index + 1);
L_0045:
if (index >= len)
{
goto L_005E;
}
if (CrossSiteScriptingValidation.IsAtoZ(s[index]))
{
goto L_0040;
}
L_005E:
Should I (for tidying up's sake) roll it back up to something like this: //Programmer intent: look for non-alphas...
while (index < len)
{
if (!CrossSiteScriptingValidation.IsAtoZ(s[index]))
break;
index++;
}
or just leave well-enough (and well-equivalent) alone? Remembering that this is a so very temporary and marginally not cool thing to do, perhaps it's best to let sleeping dogs lie.
About Scott
Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.
About Newsletter
Comments are closed.